Security Operations Tools
SIEM Query Reference
Search SIEM query concepts by platform or detection approach. Covers Splunk SPL, Elastic EQL/KQL, Microsoft Sentinel KQL, Sigma rules, and detection-as-code.
No data is transmitted; everything runs locally.
About this tool
The SIEM Query Reference covers Splunk SPL, Elastic EQL/KQL, Microsoft Sentinel KQL, Sigma rules, YARA, and detection-as-code patterns.
• Look up Splunk SPL syntax before writing a detection rule
• Reference Sentinel KQL aggregation before a threat hunting query
• Find Sigma rule format before implementing detection-as-code
• Reference Elastic EQL sequence syntax for a multi-event detection
Next step
Attack Surface Calculator — Calculate external attack surface score from internet-facing services, open ports, and unprotected accounts.
FAQ
What does this tool tell you?
For the platform or detection approach you search, it summarizes the query concepts you need before writing or reading a rule: the query model, common syntax, and an example query. Coverage is Splunk SPL, Elastic EQL/KQL, Microsoft Sentinel KQL, Sigma rules, YARA, and detection-as-code patterns.
What affects the result most?
The platform, because each uses its own query model even when the detection idea is the same:
• Splunk SPL is pipe-based: sourcetype=syslog | stats count by src_ip | where count > 1000 filters on sourcetype, counts events per source IP, then keeps only sources with more than 1000 events.
• Elastic KQL is field:value based: event.category:authentication AND event.outcome:failure matches failed authentication events on ECS field names. Elastic EQL is a separate language with an event_category where condition form, for example authentication where event.outcome == "failure"; reach for EQL when you need sequence to correlate several events.
• Microsoft Sentinel KQL is pipe-based with tabular operators: SecurityEvent | where EventID == 4625 | summarize count() by Account counts failed Windows logons (Event ID 4625) per account.
In every case the structure is filter, then aggregate, then threshold; only the syntax and the field names differ, so confirm field names against the platform's schema before relying on a rule.
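To make the shared filter, aggregate, threshold structure concrete, here is an added example (not part of the tool or its documentation) that emulates the three queries above in plain Python over constructed sample events, and evaluates a minimal Sigma-style rule the same way. The event records, field values, rule text and helper names are all constructed for illustration; only the query strings in the docstrings come from the page.

```python
"""Emulate the FAQ's three example queries over constructed sample events.

Added example for this page, not code from the tool. Every event below is
constructed for illustration, not captured telemetry.
"""
from collections import Counter
from typing import Any, Dict, Iterable, List

Event = Dict[str, Any]


def where(events: Iterable[Event], conditions: Dict[str, Any]) -> List[Event]:
    """Keep events whose fields equal every given value: an AND of
    field:value terms (KQL) or == comparisons (Sentinel KQL / SPL).
    A list value means any-of, as a Sigma selection list does."""
    def matches(e: Event) -> bool:
        for field, wanted in conditions.items():
            if field not in e:
                return False
            if isinstance(wanted, list):
                if e[field] not in wanted:
                    return False
            elif e[field] != wanted:
                return False
        return True
    return [e for e in events if matches(e)]


def count_by(events: Iterable[Event], field: str) -> Counter:
    """`stats count by <field>` in SPL, `summarize count() by <field>` in KQL."""
    return Counter(e[field] for e in events if field in e)


def having(counts: Counter, greater_than: int) -> Dict[str, int]:
    """`| where count > N` applied after the aggregation."""
    return {k: v for k, v in counts.items() if v > greater_than}


def spl_noisy_sources(events: Iterable[Event], threshold: int = 1000) -> Dict[str, int]:
    """sourcetype=syslog | stats count by src_ip | where count > 1000"""
    return having(count_by(where(events, {"sourcetype": "syslog"}), "src_ip"), threshold)


def kql_failed_auth(events: Iterable[Event]) -> List[Event]:
    """event.category:authentication AND event.outcome:failure"""
    return where(events, {"event.category": "authentication", "event.outcome": "failure"})


def sentinel_failed_logons_by_account(events: Iterable[Event]) -> Dict[str, int]:
    """SecurityEvent | where EventID == 4625 | summarize count() by Account"""
    return dict(count_by(where(events, {"EventID": 4625}), "Account"))


# Minimal Sigma-style rule as data (constructed; real Sigma also has value
# modifiers, multiple selections and a richer condition grammar).
SIGMA_LIKE_RULE = {
    "title": "Failed Windows logon",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {"selection": {"EventID": 4625}, "condition": "selection"},
}


def sigma_like_matches(rule: Dict[str, Any], events: Iterable[Event]) -> List[Event]:
    """Evaluate a rule whose condition is a single selection, the simplest
    Sigma case; the same `where` helper serves all three backends above."""
    det = rule["detection"]
    if det["condition"] != "selection":
        raise ValueError("only single-selection rules are handled here")
    return where(events, det["selection"])


# Constructed syslog-style events: one chatty source, one quiet one, and a
# few records with the wrong sourcetype that the filter must exclude.
SYSLOG_EVENTS = (
    [{"sourcetype": "syslog", "src_ip": "10.0.0.5"}] * 1200
    + [{"sourcetype": "syslog", "src_ip": "10.0.0.9"}] * 40
    + [{"sourcetype": "access_combined", "src_ip": "10.0.0.5"}] * 5
)

# Constructed ECS-style events for the Elastic query.
ECS_EVENTS = [
    {"event.category": "authentication", "event.outcome": "failure", "user.name": "alice"},
    {"event.category": "authentication", "event.outcome": "success", "user.name": "alice"},
    {"event.category": "process", "event.outcome": "success", "user.name": "svc"},
    {"event.category": "authentication", "event.outcome": "failure", "user.name": "bob"},
]

# Constructed SecurityEvent-style rows for the Sentinel query.
SECURITY_EVENTS = [
    {"EventID": 4625, "Account": "CORP\\alice"},
    {"EventID": 4624, "Account": "CORP\\alice"},
    {"EventID": 4625, "Account": "CORP\\alice"},
    {"EventID": 4625, "Account": "CORP\\bob"},
]

if __name__ == "__main__":
    print(spl_noisy_sources(SYSLOG_EVENTS))
    print([e["user.name"] for e in kql_failed_auth(ECS_EVENTS)])
    print(sentinel_failed_logons_by_account(SECURITY_EVENTS))
    print(len(sigma_like_matches(SIGMA_LIKE_RULE, SECURITY_EVENTS)))
```

The point of routing all three through one `where` and one `count_by` is that the detection logic is portable; what is not portable is the field vocabulary (src_ip versus event.category versus EventID), which is exactly the part to verify against each vendor's schema before a rule goes into production.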
How should I use the result?
Use this tool to orient quickly to the concepts, field names, or values you are about to look up in a full specification or vendor documentation. It summarizes the common cases; the authoritative source remains whichever standard or vendor doc defines the values themselves.